Not related to use_byte_certs.
SecTrustGetResult is showing a CSSMERR_TP_INVALID_CERTIFICATE error on the target cert statuscode from SecTrustGetResult and on the overall SecTrustGetCssmResultCode. I'm not sure what it doesn't like about it.

Matt: Do you have any bandwdith to chase this down? Safari provides this as untrusted with click-through, but I'm not clear if they're masking off TP_INVALID_CERTIFICATE. Keychain can also display/parse the chain, at least on 10.12.6
While tempted to close this as WontFix, parsing it as invalid is undesirable.

Poked a bit more. If I remove the policyConstraints (with requireExplicitPolicy) on the intermediate, the CSSMERR_TP_INVALID_CERTIFICATE goes away and we just get ERR_CERT_AUTHORITY_INVALID as expected.
Attached two hacked-up cert chains.
1: has caIssuers removed from AIA, and re-signed with new keys.
2: same as 1, plus with policyConstraints removed from the intermediate cert.
chain 1 still gets the CSSMERR_TP_INVALID_CERTIFICATE error.
chain 2 does not.